5 keys to success when implementing IAM
IAM implementation is not a project that should be undertaken lightly. Spanning several years, the implementation of Identity and Access Management will impact on internal users, applications, and processes and potentially also on your customers if they need access to your applications, one way or another. While IAM may be primarily viewed as a technology solution, it is not. Over the years the focus has been shifting from security to digital business enablement. Implementing IAM will hold both business and technology components.
Based on our own experience, customer cases and analyst advice, we have drawn up a list of best practices to get the most out of your IAM implementation.
Read on to learn all about these best practices:
- Embed the program in the company
- Create a long-term roadmap for IAM implementation
- Decide on build vs buy
- Define IAM roles and responsibilities
- Make user experience your top priority
1. Embed the program in the company
Whatever the scope of your IAM implementation, know that many internal users will be impacted. It is important to ensure that everyone knows what is going to happen, but also why it is happening, what it will mean to their daily activities and how you will help them cope with the changes that are coming.
Implementing IAM needs to be cross-functional
Consult with the different divisions in the company about the program and ensure buy-in from the different business teams: sales, marketing, support, finance, HR, … By turning an IAM implementation into a cross-departmental exercise, you may find more business cases that support the investment, further cementing the program as a benefit to the entire company.
All these business objectives have a lot to gain by a ramp-up of IAM.
Find an executive sponsor for your IAM implementation
Whether your IAM implementation is transversal or not, it’s imperative to have an executive sponsor for your program, to ensure the project stays top of mind at board level. Having an executive sponsor on your steerco will guarantee your implementation gets the necessary resources, regardless of changes in the market.
Moreover, IAM is becoming a business enabler. This means the people in charge of the program need to speak business language in order to be understood. An IAM program will be judged on the basis of business results, not on technical finesses.
2. Create a long-term roadmap
An IAM implementation is not a simple project with a limited timeframe. Some analysts compare it to an iceberg, with significant substance beneath the surface of proposed initiatives. This requires a formal long-term program that is aligned to business goals, with several phases and proper governance. Research shows that organizations without a formal program spend 40% more on an IAM implementation than enterprises that do have such a program.
IAM implementation supports business transformation
Programs that get the most buy-in (and a constant flow of resources and budget) are those that support a long-term business transformation. Not only do you need to know where you are now, but also where you want to be in a couple of years. Plant your flag on a mountain top and decide what stages are necessary to get to that top. By laying down a roadmap for IAM implementation that is agreed to by different stakeholders, you create transparency on the process and you can refer to that approved roadmap whenever objections are made along the way. Depending on the current situation and your end goal, a roadmap may very well extend over several years. Stick to the roadmap as much as possible, but leave a little room for flexibility, as market conditions and business strategy may change.
3. Decide on build vs. buy
Over the years, many organizations have built their own version of an IAM platform. When they started out using IAM, the business case was limited in scope and was not deemed important enough to warrant an extensive market study, investment in a new tool or re-training of technical personnel. What’s more, organizations saw their situation as so unique that it was impossible to capture it in an ‘off-the-shelf’ solution.
However, as time passed, new business cases popped up, sometimes requiring API security, support of new Identity Providers, authentication methods and security protocols. That’s when the limitations of a ‘build’ strategy come to the surface. That’s when the time comes to reconsider the build strategy and opt for a solution that comes with rich functionality, yet is customizable to support the uniqueness of your business.
TrustBuilder.io fits the description of that solution. TrustBuilder comes with a vast number of plug-and-play connections to a host of service- and identity providers, doing away with customer development. Our open-system architecture provides the basis for unique flexibility, while the use of Docker containers delivers fast and cost-effective deployment. Industry templates, standardized workflow configurations and out-of-the box connections deliver built-in expertise and reusability.
4. Define IAM roles and responsibilities
An IAM program is a large program, so setting up a good governance structure is key. Many people will be involved, both from in- and outside of the company, if you are working with an external service partner for part of the implementation process. Project governance guides and directs specific initiatives and represents an ongoing communication and collaboration effort. IAM governance bodies will meet regularly and the roles and responsibilities of everyone involved need to be mapped out, for instance as per the RACI principles: responsible, accountable, consulted, and informed.
Does your IAM implementation have a single point of contact?
When external service providers are involved, it’s important to have a single point of contact on each side to streamline communications. Ensure internal and external teams work at the same speed, and the external service providers are not delayed in their action due to slow internal decision-making. This necessitates the involvement of a senior manager who has decision-making powers and who follows the project closely enough to be empowered to make informed decisions.
5. Make user experience your top priority
If the number of customer smiles were a KPI, many IT projects would get bad grades. All too often, we get stuck in technical details and getting all the details right. As delivering a great customer experience has become an imperative for external and internal users, IAM programs need to cater to the convenience of the end-user also. Make access to applications as easy as possible, while retaining airtight security. Making access easy prohibits complex authentication methods or combinations of long passwords and usernames. The future of authentication is passwordless and, some say, even contactless.
Think of the users when you implement IAM
When building an IAM program, keep in mind who the users are and see how they can best be serviced. If you are collaborating with external partners, be sure to support federated authentication. For instance, if you are an insurance company working with brokers, their employees will want to log in using the company’s credentials. So, you will want to support federated authentication. In the case of consumers, you want to keep the threshold as low as possible, while maintaining the highest level of security, allowing them, for instance, to bring their own authentication (BYOAuth).
BYOAuth can be as simple as a username and password but you can give your customers the choice to increase their security by allowing them to add their preferred login methods such as Facebook login, AppleID, Google… or even add the strong authentication methods they use such as the Google Authenticator or national ID authentication mechanisms.